An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
The /bic/ssoService/v1/applyCT endpoint accepts user data and deserializes it without identity verification (no authentication). Attackers can exploit the auto-type mechanism of the Fastjson library (CWE-502: deserialization of untrusted data) to load any Java class. By specifying a malicious class through an LDAP protocol URL, the attacker causes arbitrary code to be loaded and executed on the server. The entire attack is possible remotely, without any privileges or user interaction.
Attackers gain the ability to execute arbitrary code remotely on the host operating system, which in practice means taking full control of the device and potentially the entire managed physical security infrastructure.
Apply patches available from the manufacturer according to the references. Additionally, until updates are installed, it is recommended to block access to the /bic/ssoService/v1/applyCT endpoint at the firewall or WAF level and isolate the ISMP platform from public networks.
Hikvision Integrated Security Management Platform (ISMP) — applyCT component (endpoint /bic/ssoService/v1/applyCT); specific versions indicated in manufacturer references
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X